How can someone go off-web, and anonymise themselves after a life online?

Question

With data mining tools like Maltego and other correlation tools for large data sets, if we conduct any transactions online assume that these can all be collated to build a good picture of what we do, buy, read etc (hence Google etc).

If a normal person, with a large online history decides to go off-web, is there an effective way to do this?

---

This question was featured as an Information Security Question of the Week.
Read the Jan 27, 2014 blog entry for more details or submit your own Question of the Week.

Answer 1

The problem is heuristics. All mentioned tools are built on heuristics and the only way to avoid them is to change how you live completely. You can be fingerprinted by the modules installed in your browser. By the programs you use and the frequency you use them.

These days you're going further than just online behavior. Shops know what you buy in what amounts, because nobody buys all the same brands you are getting fingerprinted constantly. This is used for targeted advertising, but it can also theoretically be used to track you.

MIT's Reality Mining project proved the same using smartphones. You prefer certain apps, you use your phone at certain intervals, you move around certain places. This all contributes to a somewhat unique pattern (back when I did some research on it during my internship we were getting 91% certainty in simulations, even when people changed their SIM card every few days we were still able to track them based on the SSIDs they encountered, places they went, apps they installed and used, when they checked their phones, Bluetooth devices they connect to, cell towers they passed at a certain moment in time and what smileys they use in text messages).

Avoiding heuristics means changing everything you do completely. Stop using the same apps, accounts, go live somewhere else and do not buy the same food from the same brands. The problem here is that this might also pop up as a special pattern because it is so atypical.

Changing your identity is the first step. The second one is not being discovered. As Thomas said the internet doesn't forget. This means that photos of you will remain online, messages you posted, maybe even IDs you shared will remain on the net. So even when changing your behavior it only will need one picture which might expose you.

Answer 2

You cannot enforce forgetfulness. The Web is like a big memory, and you cannot force it to forget everything about you(*). The only way, thus, is to change your identity so that everything the Web knows about you becomes stale. From a cryptographic point of view, this is the same case as with a secret value shared by members of a group: to evict a group member, you have to change the secret value.

_{(*) Except by applying sufficiently excessive force. A global thermonuclear war, with all the involved EMP, might do the trick, albeit with some side effects.}

Answer 3

I agree with one of the comments that one could write a book on this (I have an idea!) because this could get broad, but consider that these data mining tools (and I build them!) make some major assumptions. For instance, consider search history. One could easily build a program or a tool that would do "random" searches on topics where a person lacks interest. I've done this with Google where a program will search for dogs, dog food or dog treats and months later, I suddenly see these advertisements appearing everywhere.

if we conduct any transactions online these can all be collated to build a good picture of what we do, buy, read etc

When it comes to finances, it's similar; I have to make an assumption that the data I receive are an accurate indicator of who you are. Suppose you make 1/3 or more of your purchases completely away from your interest, for instance, you're truly a Libertarian, but you decide to subscribe to a Socialist magazine. How accurate are my data then? Also, you may change in ten years, so how accurate will my data be then, unless I account for it (and how effective then is it to have all the historic data)?

Of course, we could all argue, who in the world would do that? If you've ever read Soros' The New Paradigm For Financial Markets he mentions his family went through WWII without the trouble many Jews had because, as I interpret it, his family was careful with the information they provided to others. Privacy, historically, is priceless, even if a few generations mistakenly think it's not.

As a note, this answer only addresses the above concern with money.

Answer 4

All the answers posted here are awesome. But I would like to add a few points. When you start with removing your online prints :

1. Make a list of all websites where you have accounts or which are linked to you in some way.
2. One by one, remove your personal details, friends, etc. Add misinformation - new obscure data, new friends, new interests, anything else you can think of. De-link your related accounts, re-link them to other fake ones.
3. Let the poisoned information stay for some time. Meanwhile, you could additionally change these details again. Poisoning the poisoned! Ensure that there is no visible pattern or link between any of the poisoned accounts.
4. Then you could delete all of them, again very slowly.

My idea behind this approach is what the other answers have already said, to poison the original data. I believe that all sites store your history but they won't log your 'previous' personal details like name, dob etc(I'm not sure about this, could someone confirm?)

Once you've poisoned your accounts, they should remain so for some time. Once again, how long I cannot know. Probably one or two months or more. And finally you delete those accounts, all of them.

You could also consider using some of these accounts, the less conspicuous, to spam others(most sites discard spammers as unimportant and non-human).

Ideally, when you plan on going off the web, you will have to plan in advance, start months before. It is not an easy process, and to be anonymous and remain anonymous is a very tough challenge.

Answer 5

Although you probably won't be able to delete what's already there, you could go through the other route: generate noise to cover the real information.

Create several profiles with the same name or username you have been posting online and pretend to be interested in many fields. Do is progressively, so as not to be evident.

This will work when it comes down to bury a Google search engine result, for example.

Too much information equals little information.

Answer 6

My take on this is that you have a couple of options:

Entirely change your name, behaviour, appearance, your country, your friends etc so there is no correlation between data prior to the change and post-change. Like witness protection programmes, but with everything you do, not just your physical presence. Your buying habits have to change in department stores, you may need to develop a taste in different foods...

An alternative is to take Question3CPO's answer a bit further and deliberately poison the results of any data analysis by making random or deliberately wrong choices on a significant number of your daily activities. I have a feeling this could take some years to accomplish, and once you change identity, you still can't go back to your original behaviour as the original data store may still match you.

Answer 7

Anyone who considers going off-web and changing identity should also change country imo.

Basically, move to a country that is different enough from where you currently live so that you'll be effortlessly forced to change your friends, habits, etc., in a word the signature you leave behind.

You can always return home later if you really miss it. The key is to develop new tastes and habits before doing so.

Unless you shouldn't return home at all, as is the case if home is one of the more advanced countries -- one with the likes of the NSA, or where tracking is ubiquitous.

Naturally, it helps to reduce the signature you leave around to begin with, e.g. use cash, don't leave pictures online, etc., as well as add noise to the signal you leave behind (e.g. by having a bot do random searches for you.)

Answer 8

The answer depends on how hard people are looking for you. For someone like Edward Snowden, this is quite literally impossible. With the world's best-funded and most heavily-equipped group of spies hell-bent on keeping track of you, you cannot disappear.

Other people can be lost and forgotten in their own home. If nobody is looking for you, you might as well already be dead: and in fact if you were, nobody would know.

If you have build a solid life and legacy online, then that's where your identity is: online. In such a case, your own personal bag of flesh is only attached to that identity at a few critical connection points. Photo-identification documents, perhaps; or the memories of others who know you. You could either disassociate your online identity with your physical one over time using a systematic stream of misinformation, or perhaps quietly relocate yourself to some place where records are not so systematically kept and processed. As long as you don't leave a persistent trail of breadcrumbs and nobody is watching you terribly closely, this should be reasonably simple. The proud tradition of starting a new life in a foreign land has been pursued by an uncountable host of characters over the centuries. It's as possible today as it ever has been, though the list of candidate destinations is smaller.

Answer 9

It is not possible to eradicate your online presence but you can make it so much confusing that it become difficult for anyone to connect the dots. The grugq has a few guidelines that you need to follow:

1. Put the Plumbing in first
2. Create a cover (new persona)
3. Work on the legend (history, background, supporting evidence for the persona)
4. Create sub-aliases
5. Never CONTAMINATE

You cannot delete what you post online but you can control what you put online.

1. Never reveal your operational details
2. Never reveal your plans
3. Never trust anyone
4. Never confuse recreation with hacking (or anything else you want to hide)
5. Never operate from your own home or from one place
6. Be proactively paranoid
7. Keep personal life and online life separate
8. Keep your personal environment contraband free (it allows undue attention from LEA)
9. Don't talk to LEA
10. Don't give anyone power over you (in other words don't give anyone the information which might be used for blackmailing)

You can find further details in his presentation here

Answer 10

Time.

Modify (with fake information) and/or remove information in all your web accounts. Use non-track browsers (like private window in Firefox) or Tor. And just wait.

With time, maybe 1, 2, 3 or 10 years, most of your information will disappear from internet.

Most of your web accounts don't want to store your information eternally because they will not have benefit.

Answer 11

If you are willing to assume a new identity and break all ties with the past then yes, you could drop off the net, change your name, and move. Create a new bank account under the new name, get a job under the new name, etc. If you never have an email account after that or go on the web again your new identity really would be off-web.

As for whether you could go off-web without taking such drastic steps then the answer is no. Many web sites have an option to delete your account but almost none take the step of removing all your previous data. Remember how many sites are "free"? Well, you paid for it by allowing them to use your data how they like as long as they like.

Legislation is no help here. Even in the EU, where privacy laws are the most strict, the EU court back in June ruled that there is no right to be forgotten. In this case Google was judged not to be required to delete data even if it was requested, as it was an aggregator and not the controller of the data.

Your online identity is there to stay, partly because that's the price you pay for a free service.

Answer 12

Anything you ever wrote or published on the Internet is there forever. Trying to remove it is futile. Hordes of robots and search engines in dozens of countries that you have never heard of have already archived it and will never let it go, however nice you may ask. A few countries (e.g. France) offer Laws under which you can ask for removal of personal information, but there is a difference between asking and being granted, and such laws extend only to the country borders, not beyond.

Also, you cannot force people to forget. Mind control is illegal, and tricky.

Information can still be lost by being drowned into an ocean of other information. The Internet at large appears to be quite good at generating terabytes of meaningless junk, but search engines have improved too, and still manage to extract and index information within all that mess. One day, entropy will win, and grant you forgetfulness of your past actions.

In the meantime, Internet is like a ultimate responsibility machine. You have to be careful. One common way to evade having to live with your misbehaviours, that many people employ, is the use of pseudonyms -- and you already know that (unless "lop" is your real name, in which case you should sue your parents for cruelty).

Answer 13

Well you can be hidden but you can not be forgotten. You can first edit then remove all the images and info on all websites. Request to Google and every other provider to delete all the info about yourself. Make your email/phone number etc hidden and so on...

However, this would only hide you from other end-users, where end-user includes hackers etc... But it is known that neither Facebook nor Google and some other companies never delete anything. Thay may take it off the internet or securely hide it, but they would never ever delete anything from their own database, and you agreed to this.

So basically, you can hide your past but you can't delete it. Big companies will always have them, and since they are mostly U.S. based, the U.S. government will have it... And if a talented hacker can get in somehow, he will have it... And even if you change your name and etc (which is a lame idea in my opinion) this wouldn't stop them, would it?

So basically, you can hide your past from your creepy gf/bf but that's pretty much it.

If you want to stay anonymous on the internet, log off...

Answer 14

I don't think it's really all that possible to remove yourself entirely. Go remove yourself from as many services you have accounts for, either by doing it yourself or asking the service provider to do it.

If you have a website, change it so that it only ever returns HTTP Response 410: http://www.hanselman.com/blog/410GoneThoughtsOnMarkDiveintomarkPilgrimsAndWhysInfosuicides.aspx. This will tell any consumers of the site that they should remove anything they have that originated from that site.

Stop posting anything by any of your online identities and hopefully people will stop reposting whatever you said, and eventually maybe the search engines will find stuff too old and they will stop indexing it. Unlikely though.

I'm sure that if you begged, pleaded, and sold your soul to them, Google might even consider listening to your request to have your identity removed from their indexes before they flag your name for further indexing. :)

Answer 15

the other alternative is to fake your death, distance yourself from all your past cyber life. change software,food and communications tastes. have someone report your social accounts as no longer in use but the ultimate decision lies in change of identity and life pattern.

Answer 16

Pack your bags, leave the country, renounce your citizenship, and become a hermit living near the pole of inaccessibility in Africa for the next 10 years. After that, few would ever recognize you, perhaps not even your own family.

Answer 17

Recent developments:

In May 2014, the European Court of Justice backed "a right to be forgotten" in a case against Google brought by a Spanish man who was offended by search results. The court said links to "irrelevant" and outdated data should be erased on request.

For an EU resident who wishes to remove all online traces about himself/herself, this ruling could be very important. Search engines and other players in the EU market will have to abide by these rules.

Answer 18

It is not possible because most services do not permit removal at all and, even if some do, it is just a declaration most of them do not really delete but just hide that data.

This is too big topic but I'll give just a few hints that such attempts are senseless:

• the laws of most countries require to store most data and accountspassed through servers for many years; it is the matter of security - just imagine the cybercrime opportunities if accounts were really deleted;
• OLAP (Online Analytical Processing) databases are read-only and most approaches to data processing are that data are never deleted;
• when someone replied you in a forum with quoting, this quote with your account username quoted is still there publicly available to all even if you removed/hidden your account;

• "Yourself" is not just username(s), account(s), IPs, stored discussions, comments in isolation. It is most probably all of them (btw, interconnected and trackable) including the logo in ISPs servers about your connections to internet even during the time when you believe you are sleeping.

  Internet is not based or functioning on self-suicidal modes and as far as you connect to it, "Yourself" is part of it and attempts of self-suicide "Yourself" is synonym of killing the internet.

PS
Might be I did not understand the question.

Also, it is most probable, that we are trying to dispute the things without agreeing on common definitions of used terms first , what is also senseless.

Answer 19

Disinformation. Propaganda. Censorship.

You might still be there, but the objective is to make it too much trouble for anyone to try to find you amidst all the crap.

Answer 20

In addition to all of the above and below answers, to truly anonymise yourself you need to get a name change. That way when people meet you and search for you online, any of the accounts that you used with your real name will no longer come up (as it was your old name). However name changes are public record, so in reality it's just more "security through obscurity."